|
RBT in Healthcare: Medical Device Maladies
|
In 2011, at a hacking convention known as Black Hat, a security researcher and insulin pump user demonstrated how he could remotely disable and modify his insulin pump over a wireless connection using inexpensive and readily available equipment(1). In 2012, another security researcher demonstrated how he could capture and reverse engineer wireless communication from a Implantable Cardioverter Defibrillator (ICD) and cause the device to deliver a lethal shock to the heart(2). Then this year another security researcher was able to connect to a commonly used infusion pump and alter the firmware (the software on the device that provides the rules for how it communicates with other hardware) which could give the hacker complete control of the device allowing an overdose to be given while disabling the alarm(3). Far fetched you say? Consider that former vice president Dick Cheney, who has an ICD, recently revealed that he and his doctor were concerned enough that the wireless capabilities of his device were disabled(4). The FDA also seems to be taking this issue seriously. A quick search of their medical devices page returned 73 different communications about cybersecurity in medical devices since 2013. Clearly this is not another overblown issue like Y2K.
So how can these devices be hacked? In the case of the infusion pumps, it is related to the connection that these devices have with the Internet. Most pumps have the capability to be hooked up to a network so that remote monitoring can be done and so that firmware updates can be released from the manufacturer to fix bugs or (ironically) security issues. Security researchers are able to hijack the device through the internet connection and modify it to basically reprogram the pump. ICD'S are hacked in a similar fashion by analyzing and spoofing the wireless signal used to program the device. One method is to simply issue battery intensive commands rendering the device powerless(5) while another is delivering a lethal shock as noted above. The insulin pump example given can be done either by modifying the continuous glucose monitor (CGM) (again through spoofing wireless transmissions) to give a higher reading than actually exists or to directly change the configuration settings on the pump itself on how insulin doses are calculated(6). It is important to remember that these are potential attacks. To date, none of these have happened in a clinical setting, but they are possible.
What cybersecurity threats are happening right now involving medical devices? In a word – malware. TrapX, a security company thoroughly examined three hospitals for the presence of malware(7). The results were astounding. They found malware in X-ray equipment, blood gas analyzers, CT scanners, and ventilators, as well as infusion pumps. The interesting thing about this accumulation of malware is that it doesn't appear that the hackers are specifically targeting medical devices, but rather just look for a “back door” into the hospital network. One way they find these back doors is through a search engine known as Shodan, a search engine for “things” as opposed to Google, a search engine of documents and information. Through Shodan things like traffic light control systems, web cams, nuclear power plants, and yes, medical devices from connected intravenous pumps to MRI machines(8). The scary thing is, it doesn't take an experienced hacker to find these devices online, a simple 5-minute tutorial (found on YouTube) can have anyone up and running.
So why are hackers so interested in hospital networks? Medical information. According to an article by Reuters, medical data is now worth ten times as much as a stolen credit card number. The hackers get the information and can create an ID to order medical equipment or drugs for resale and may even fraudulently bill insurance companies using a fake (or stolen) provider number. According to data from Health and Human Services analyzed by The Washington Post, data from more than 120 million people has been accessed in more than 1,100 different breaches since 2009(9). That is 1/3 of the US population. In addition to billing for fraudulent services, this report also details another risk where service is provided for another patient in the victim's name, which may lead to erroneous medical information being entered into the record, blood type or allergies, for example, which is a potential life threatening error. (10)
To get into hospital (and other medical) networks the weakest link, and therefore the most tempting targets, are medical devices. Why is this? Consider the differences in a computer server that runs the back end of a network in a hospital and an infusion pump connected to the network. The hospital's IT department can update or upgrade the software on the server as needed. They can purchase third party security software to protect against attacks on the network that are constantly updated with the latest information while the infusion pump is a turnkey device that likely runs an outdated operating system such as Windows XP or even Windows 2000, third party cyber defense software cannot be installed by the hospital and in most cases any updates to the firmware (or operating system) must be approved by the FDA which leads to a significant lag in the time between the time a threat is discovered and when it is fixed. This makes medical devices the most vulnerable attack vectors.
TrapX, a security company that specializes in medical device attacks, outlined how these attacks occur in a report titled “ANATOMY OF AN ATTACK: MEDJACK (Medical Device Hijack)” in May of 2015. In this report several case studies are examined in detail. In the first case study, malware was inserted on a blood gas analyzer. These analyzers were used in critical care units, in surgery and in post anesthesia care units, so there were several areas of the network attached to these machines. In this particular case the hospital had a strong suite of cyber defense products including strong firewalls, intrusion detection systems and a highly trained staff, but hackers were still able to access the network via the weak link of the blood gas analyzers. Eventually a breach was found through which data was being ex-filtrated to a location thought to be in Europe. Furthermore, it was determined that the data flowing through the blood gas analyzer was unencrypted and was thus susceptible to manipulation, either inadvertently or on purpose(11).
In the next study, an attack that used the PACS (picture and archive communication system) was studied. The PACS system was used by the radiology department to store images from a variety of sources such as x-ray machines, CT scanners, MRI scanners and ultrasound machines. The data on this system is accessed not only by hospital employees, but also by doctors in their individual offices. Malware was found on this system that was accessing medical data and ex-filtrating it to a location in China. The source of the malware was traced to an end user in the hospital who went to a malicious website on a browser which used a java exploit to plant the malware on the hospital system. The hospital's cyber defense software did detect and remove it, but not before it had spread to the PACS, which was off limits to the protective program.
It's obvious from looking at this problem that it cannot continue to be ignored. No reports indicate that anyone has been harmed by a hacked medical device yet, but it is a possibility. However, the theft of medical information is occurring right now, possibly in organizations that have no idea that it is happening. What can be done to stop these hackers? A partial list of recommendations:
For implanted devices, there is a new prototype of “firewall” that monitors all communication to and from wireless devices to spot unauthorized access and then warns the user or jams the signal (12). Researchers at Rice University, in conjunction with the security company RSA are working on a system which will only update the implanted device when a wand that is held near the patient, records the patient's heartbeat and compares it with a signal from the implanted device. If they match, the update is allowed to continue. The signal is encrypted both ways so that it can't easily be hijacked during the exchange(13).
With a concerted effort to get health care information digitized and into databases the threats of that information being accessed for nefarious purposes will only continue to rise. The news media is currently focused on sensational accounts of intravenous or insulin pumps being taken over by hackers and programmed to give an over or underdose resulting in serious injury or death. While these types of attacks are certainly possible, the commandeering of the operating systems of medical equipment for the purposes of obtaining health care related information is happening right now. The time to plan for these hacks is right now. The important thing to remember is that security, like quality, is not a function of just one department in the organization, but rather everyone from the CEO to volunteers.
Jeff Harris is a Pharmacist with over 25 years of leadership experience in hospital, retail, and home health environments. Due to a spinal cord injury, he is currently on long term disability. Jeff is passionate about patient safety, risk management and cybersecurity issues in healthcare. He continues to research and write about improving healthcare on a pro-bono basis. He can be reached by email at [email protected]. Follow BlueSynergy on LinkedIn and Twitter .
1. http://www.darkreading.com/vulnerabilities-and-threats/insulin-pump-hack-controversy-grows/d/d-id/1099825?
2. http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/
3. http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
4. http://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434
5. http://www.informationweek.com/partner-perspectives/bitdefender/hacking-vulnerable-medical-equipment-puts-millions-at-risk/a/d-id/1319873
6. https://media.blackhat.com/bh-us-11/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf
7. http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html
8. http://www.healthcareinfosecurity.com/blogs/identifying-vulnerable-medical-devices-p-1489
9. http://www.reuters.com/article/cybersecurity-usa-targets-idUSL3N0YR30R20150605
10. https://www.washingtonpost.com/news/the-switch/wp/2015/03/20/2015-is-already-the-year-of-the-health-care-hack-and-its-only-going-to-get-worse/
11. ANATOMY OF AN ATTACK: MEDJACK (Medical Device Hacking), May, 7, 2015, TrapX Security, Inc
12. http://theinstitute.ieee.org/technology-focus/technology-topic/keeping-hackers-out-of-implanted-medical-devices
13. http://www.technologyreview.com/news/519266/encrypted-heartbeats-keep-hackers-from-medical-implants/
So how can these devices be hacked? In the case of the infusion pumps, it is related to the connection that these devices have with the Internet. Most pumps have the capability to be hooked up to a network so that remote monitoring can be done and so that firmware updates can be released from the manufacturer to fix bugs or (ironically) security issues. Security researchers are able to hijack the device through the internet connection and modify it to basically reprogram the pump. ICD'S are hacked in a similar fashion by analyzing and spoofing the wireless signal used to program the device. One method is to simply issue battery intensive commands rendering the device powerless(5) while another is delivering a lethal shock as noted above. The insulin pump example given can be done either by modifying the continuous glucose monitor (CGM) (again through spoofing wireless transmissions) to give a higher reading than actually exists or to directly change the configuration settings on the pump itself on how insulin doses are calculated(6). It is important to remember that these are potential attacks. To date, none of these have happened in a clinical setting, but they are possible.
What cybersecurity threats are happening right now involving medical devices? In a word – malware. TrapX, a security company thoroughly examined three hospitals for the presence of malware(7). The results were astounding. They found malware in X-ray equipment, blood gas analyzers, CT scanners, and ventilators, as well as infusion pumps. The interesting thing about this accumulation of malware is that it doesn't appear that the hackers are specifically targeting medical devices, but rather just look for a “back door” into the hospital network. One way they find these back doors is through a search engine known as Shodan, a search engine for “things” as opposed to Google, a search engine of documents and information. Through Shodan things like traffic light control systems, web cams, nuclear power plants, and yes, medical devices from connected intravenous pumps to MRI machines(8). The scary thing is, it doesn't take an experienced hacker to find these devices online, a simple 5-minute tutorial (found on YouTube) can have anyone up and running.
So why are hackers so interested in hospital networks? Medical information. According to an article by Reuters, medical data is now worth ten times as much as a stolen credit card number. The hackers get the information and can create an ID to order medical equipment or drugs for resale and may even fraudulently bill insurance companies using a fake (or stolen) provider number. According to data from Health and Human Services analyzed by The Washington Post, data from more than 120 million people has been accessed in more than 1,100 different breaches since 2009(9). That is 1/3 of the US population. In addition to billing for fraudulent services, this report also details another risk where service is provided for another patient in the victim's name, which may lead to erroneous medical information being entered into the record, blood type or allergies, for example, which is a potential life threatening error. (10)
To get into hospital (and other medical) networks the weakest link, and therefore the most tempting targets, are medical devices. Why is this? Consider the differences in a computer server that runs the back end of a network in a hospital and an infusion pump connected to the network. The hospital's IT department can update or upgrade the software on the server as needed. They can purchase third party security software to protect against attacks on the network that are constantly updated with the latest information while the infusion pump is a turnkey device that likely runs an outdated operating system such as Windows XP or even Windows 2000, third party cyber defense software cannot be installed by the hospital and in most cases any updates to the firmware (or operating system) must be approved by the FDA which leads to a significant lag in the time between the time a threat is discovered and when it is fixed. This makes medical devices the most vulnerable attack vectors.
TrapX, a security company that specializes in medical device attacks, outlined how these attacks occur in a report titled “ANATOMY OF AN ATTACK: MEDJACK (Medical Device Hijack)” in May of 2015. In this report several case studies are examined in detail. In the first case study, malware was inserted on a blood gas analyzer. These analyzers were used in critical care units, in surgery and in post anesthesia care units, so there were several areas of the network attached to these machines. In this particular case the hospital had a strong suite of cyber defense products including strong firewalls, intrusion detection systems and a highly trained staff, but hackers were still able to access the network via the weak link of the blood gas analyzers. Eventually a breach was found through which data was being ex-filtrated to a location thought to be in Europe. Furthermore, it was determined that the data flowing through the blood gas analyzer was unencrypted and was thus susceptible to manipulation, either inadvertently or on purpose(11).
In the next study, an attack that used the PACS (picture and archive communication system) was studied. The PACS system was used by the radiology department to store images from a variety of sources such as x-ray machines, CT scanners, MRI scanners and ultrasound machines. The data on this system is accessed not only by hospital employees, but also by doctors in their individual offices. Malware was found on this system that was accessing medical data and ex-filtrating it to a location in China. The source of the malware was traced to an end user in the hospital who went to a malicious website on a browser which used a java exploit to plant the malware on the hospital system. The hospital's cyber defense software did detect and remove it, but not before it had spread to the PACS, which was off limits to the protective program.
It's obvious from looking at this problem that it cannot continue to be ignored. No reports indicate that anyone has been harmed by a hacked medical device yet, but it is a possibility. However, the theft of medical information is occurring right now, possibly in organizations that have no idea that it is happening. What can be done to stop these hackers? A partial list of recommendations:
- Review and update all contracts with medical equipment suppliers. Must be specific language included about checking for malware on the equipment, policies for secure and prompt updates, and the ability to set passwords in house. Updates should be done in a timely manner and should use a security network and use digitally signed software.
- Consider that all of your current medical devices are likely infected and work with manufacturers to decontaminate or replace these devices.
- Access to medical devices should be restricted as much as possible. All unnecessary ports and services should be disabled.
- Security of the hospital network should be evaluated in it's entirety. Educate all employees of the need to avoid using USB keys and being security conscious at all times.
For implanted devices, there is a new prototype of “firewall” that monitors all communication to and from wireless devices to spot unauthorized access and then warns the user or jams the signal (12). Researchers at Rice University, in conjunction with the security company RSA are working on a system which will only update the implanted device when a wand that is held near the patient, records the patient's heartbeat and compares it with a signal from the implanted device. If they match, the update is allowed to continue. The signal is encrypted both ways so that it can't easily be hijacked during the exchange(13).
With a concerted effort to get health care information digitized and into databases the threats of that information being accessed for nefarious purposes will only continue to rise. The news media is currently focused on sensational accounts of intravenous or insulin pumps being taken over by hackers and programmed to give an over or underdose resulting in serious injury or death. While these types of attacks are certainly possible, the commandeering of the operating systems of medical equipment for the purposes of obtaining health care related information is happening right now. The time to plan for these hacks is right now. The important thing to remember is that security, like quality, is not a function of just one department in the organization, but rather everyone from the CEO to volunteers.
Jeff Harris is a Pharmacist with over 25 years of leadership experience in hospital, retail, and home health environments. Due to a spinal cord injury, he is currently on long term disability. Jeff is passionate about patient safety, risk management and cybersecurity issues in healthcare. He continues to research and write about improving healthcare on a pro-bono basis. He can be reached by email at [email protected]. Follow BlueSynergy on LinkedIn and Twitter .
1. http://www.darkreading.com/vulnerabilities-and-threats/insulin-pump-hack-controversy-grows/d/d-id/1099825?
2. http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/
3. http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
4. http://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434
5. http://www.informationweek.com/partner-perspectives/bitdefender/hacking-vulnerable-medical-equipment-puts-millions-at-risk/a/d-id/1319873
6. https://media.blackhat.com/bh-us-11/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf
7. http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html
8. http://www.healthcareinfosecurity.com/blogs/identifying-vulnerable-medical-devices-p-1489
9. http://www.reuters.com/article/cybersecurity-usa-targets-idUSL3N0YR30R20150605
10. https://www.washingtonpost.com/news/the-switch/wp/2015/03/20/2015-is-already-the-year-of-the-health-care-hack-and-its-only-going-to-get-worse/
11. ANATOMY OF AN ATTACK: MEDJACK (Medical Device Hacking), May, 7, 2015, TrapX Security, Inc
12. http://theinstitute.ieee.org/technology-focus/technology-topic/keeping-hackers-out-of-implanted-medical-devices
13. http://www.technologyreview.com/news/519266/encrypted-heartbeats-keep-hackers-from-medical-implants/